Now that I have all the IP addresses, I will add them to a notepad as a TCL script so that I can copy and paste it into a router whenever I want to test reachability.

tclsh
foreach ip {
10.1.13.1
10.0.1.1
10.1.24.2
10.1.13.2
10.0.2.2
10.1.13.3
10.0.3.3
10.1.24.4
10.0.4.4
} {ping $ip}

I can keep this in notepad, and copy and paste it whenever I want to test reachability.

Here's the result of pasting it onto R1.

R1(tcl)#foreach ip {
+>(tcl)#10.1.13.1
+>(tcl)#10.0.1.1
+>(tcl)#10.1.24.2
+>(tcl)#10.1.13.2
+>(tcl)#10.0.2.2
+>(tcl)#10.1.13.3
+>(tcl)#10.0.3.3
+>(tcl)#10.1.24.4
+>(tcl)#10.0.4.4
+>(tcl)#} {ping $ip
+>(tcl)#}

Thursday, September 22, 2011

R2 will serve as the IPS preventing specific traffic between R1 and R3.

To begin with IOS IPS, I must download the IPS files from Cisco.com
http://tools.cisco.com/support/downloads/go/Model.x?mdfid=281442967&mdfLevel=Software%20Family&treeName=Security&modelName=Cisco%20IOS%20Intrusion%20Prevention%20System%20Feature%20Software&treeMdfId=268438162
and the public crypto key used by IOS IPS http://download-sj.cisco.com/cisco/ciscosecure/ids/sigup/5.0/ios/realm-cisco.pub.key.txt

Next, I will create a directory on R2 to store the IPS signature files and configurations.

R2#mkdir IPS
Create directory filename [IPS]?
Created dir flash:/IPS
R2#dir
Directory of flash:/

Now I'll copy the contents of the key realm-cisco.pub.key.txt to R2 to configure the crypto key used by IOS IPS.

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#crypto key pubkey-chain rsa
R2(config-pubkey-chain)# named-key realm-cisco.pub signature
Translating "realm-cisco.pub"

R2(config-pubkey-key)# key-string
Enter a public key as a hexidecimal number ....

Now, I'll create a rule name that will be used on an interface, point IOS IPS to the directory that will contain the IPS signature files, and enable IPS SDEE and log notifications. Note that SDEE notifications will not work unless ip http server is enabled.

R2(config)#ip ips name IOSIPS
R2(config)#ip ips config location flash:IPS
R2(config)#ip ips notify sdee
R2(config)#ip ips notify log
R2(config)#ip http server

To load the IOS IPS signature file I downloaded earlier, I created an FTP server at 192.168.1.1 and connected to it with R2's VLAN2 interface, 192.168.1.2. I'll use FTP to copy the file with the parameter "idconf". This parameter initiates the compiling process once the copy is complete.

R2#copy ftp://jason:cisco@192.168.1.71/IOS-S595-CLI.pkg idconf
Loading IOS-S595-CLI.pkg !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 13572723/4096 bytes]


The is in place with all relevant interfaces enabled.

With ZFW, I first need to create the zones. In this case, I only need INSIDE and OUTSIDE.

R2(config)#zone security INSIDE
R2(config-sec-zone)#zone security OUTSIDE

I have R1, R2, R3, R4 and R5. I want to use Zone-Based Firewall Policy to create a security policy that I can apply to R2.

I want R2's Fa0/0 and Fa0/1 interfaces to serve as the INSIDE interfaces, Se0/0/0 to serve as the EXTRANET interface, and Se0/1/0 to serve as the OUTSIDE interface. With the Fa0/0 and Fa0/1 interfaces in the same zone, I won't have to configure any rule allowing traffic between them, as interfaces in the same zone allow traffic to pass by default. I am simulating a web server in the EXTRANET zone on R4. I want to allow HTTP and ICMP access from the INSIDE zone to the EXTRANET zone, as well as from the OUTSIDE zone to the EXTRANET zone. Additionally, I want the INSIDE zone to be able to telnet to R4. I want to allow TCP, UDP, TELNET, HTTP, and ICMP from the INSIDE zone to the OUTSIDE zone, but prevent .exe files from being downloaded.

Like the previous IP Inspect and TCP Intercept configurations, I want to use a parameter-map to set the timeout for TCP connections that send a SYN packet and no further data to 5 seconds, a max-incomplete low of 5 and high of 10, and a one-minute low of 10 and high of 20. I also want to rate limit traffic from the OUTSIDE to the web server in the EXTRANET zone to 128000 bytes per second.

When using Zone-Based Firewall, traffic directed to the router will be allowed by default, but I can limit this by applying a policy to a zone-pair between a specified source and the self zone. In my case, I want to allow the EIGRP routing protocol traffic along with ICMP to be allowed to any of R2's interfaces, except for the INSIDE interfaces, where I want to additionally allow telnet traffic for management.

Since I also want to allow telnet to R4 on the EXTRANET from the INSIDE zone, I'll create another class-map to match this traffic.

R2(config-ext-nacl)#class-map type inspect match-any CMAP_INSIDE_TO_EXTRANET_MGMT
R2(config-cmap)#match protocol telnet

To block .exe files from being downloaded, I first need a separate class-map that matches only HTTP traffic, so that the HTTP-specific policy can be nested under it.

R2(config)#class-map type inspect CMAP_INSIDE_TO_OUTSIDE_HTTP
R2(config-cmap)#match protocol http

Next, I'll create a regex parameter-map whose pattern matches a .exe extension in any letter case.

R2(config)#parameter-map type regex PARAM_DROP_EXE
R2(config-profile)#pattern .*\.([Ee][Xx][Ee])

From the OUTSIDE and EXTRANET zones I will limit traffic going to the self zone to routing protocol and ICMP traffic. I'll create an ACL to match the EIGRP traffic. Note: some routing protocols can be matched directly within the class-map; others, such as EIGRP, require an ACL. I'll create the EIGRP ACL and reference it from the class-map with match access-group.

R2(config)#ip access-list extended ACL_EIGRP
R2(config-ext-nacl)#permit eigrp any any
R2(config-ext-nacl)#exit
R2(config)#class-map type inspect match-any CMAP_TO_SELF
R2(config-cmap)#match access-group name ACL_EIGRP
R2(config-cmap)#match protocol icmp

Now, I'll create the policy-maps to define what should happen to the traffic.

Rate limiting could be done with QoS, but instead I'll add a police statement to this policy-map (type inspect) along with the PARAM_PROTECT_TCP parameter-map. This approach is useful because once the policy-map is applied to a zone-pair, the limit automatically applies to any other interface later added to the OUTSIDE zone.

I'll create another policy-map for the INSIDE to EXTRANET traffic. I could have assigned the same policy-map in use for the OUTSIDE to EXTRANET zones, but in this case I want to create another policy-map and also pass telnet and EIGRP traffic from the INSIDE to EXTRANET zone.

R2(config)#policy-map type inspect PMAP_INSIDE_TO_EXTRANET
R2(config-pmap)#class type inspect CMAP_INSIDE_TO_EXTRANET_MGMT
R2(config-pmap-c)#inspect
R2(config-pmap-c)#class type inspect CMAP_TO_EXTRANET
R2(config-pmap-c)#inspect

I'll create a policy-map for INSIDE to OUTSIDE traffic and call the class-maps I created for the allowed and disallowed traffic. I'll start by creating a policy-map (type inspect http), nest the class-map that was created to block .exe files under it, and set an action of reset. This will then be nested in the main policy-map for INSIDE to OUTSIDE traffic. It's important to understand that the order in which the "class type inspect" statements are added is the order in which they are evaluated, and the first matching class wins. Since http is a tcp protocol, if I add the class containing the "match protocol tcp" statement before the class containing the "service-policy http" statement, the .exe download would be allowed instead of reset.

R2(config)#policy-map type inspect http PMAP_BLOCK_EXE
R2(config-pmap)#class type inspect http CMAP_BLOCK_EXE
R2(config-pmap-c)#reset
R2(config-pmap-c)#policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
R2(config-pmap)#class type inspect CMAP_INSIDE_TO_OUTSIDE_HTTP
R2(config-pmap-c)#inspect
R2(config-pmap-c)#service-policy http PMAP_BLOCK_EXE
R2(config-pmap)#class type inspect CMAP_INSIDE_TO_OUTSIDE
R2(config-pmap-c)#inspect

Now that the zone-pairs have been created, I will assign the interfaces to their respective zones.

R2(config)#interface fa0/1
R2(config-if)#zone security INSIDE
R2(config-if)#exit
R2(config)#interface fa0/0
R2(config-if)#zone security INSIDE
R2(config-if)#exit
R2(config)#interface se0/0/0
R2(config-if)#zone security EXTRANET
R2(config-if)#exit
R2(config)#interface se0/1/0
R2(config-if)#zone security OUTSIDE
R2(config-if)#end
R2#

This completes the configuration.

Now I'll verify that the configuration is operational.

First I'll verify that the zones have been applied and the correct interfaces have been assigned.

R2#show zone security
zone self
  Description: System defined zone

Next I'll verify that the INSIDE to EXTRANET communication is working correctly. I should be able to ping and telnet to R4, and R5 should be able to ping, but NOT telnet. I'll use the loopback address to communicate to the web server on R4.

This works as expected, but I should also be able to access the web service on R4 from R5. I'll test copying a .txt file, as well as a .exe file. Note that both will be allowed, as the configuration to block .exe files is not applied to this zone-pair.

R5#copy http://jason:cisco@10.0.4.4/test.txt null:
Loading http://***********@10.0.4.4/test.txt !
1784 bytes copied in 0.604 secs (2954 bytes/sec)
R5#
R5#copy http://jason:cisco@10.0.4.4/test.exe null:
Loading http://***********@10.0.4.4/test.exe !
51 bytes copied in 0.224 secs (228 bytes/sec)
R5#

Now I'll test from the INSIDE to the OUTSIDE. I should be able to reach the web server running on R5, but I should not be able to download the .exe file.

R1#ping 10.1.25.5

This works as expected. Transferring a .exe file should result in an I/O error.

R1#copy http://jason:cisco@10.1.25.5/test.exe null:
%Error opening http://jason:cisco@10.1.25.5/test.exe (I/O error)

As mentioned previously for the policy-map PMAP_INSIDE_TO_OUTSIDE, I could get an undesirable result if I ordered the classes differently. If the CMAP_INSIDE_TO_OUTSIDE_HTTP class comes after the CMAP_INSIDE_TO_OUTSIDE class, the inspect statement under CMAP_INSIDE_TO_OUTSIDE matches the http session first (because that class includes tcp), so .exe files would be allowed through. I'll change the order and see if I can copy the test.exe file.

R2(config-pmap)#exit
R2(config)#policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
R2(config-pmap)#no class type inspect CMAP_INSIDE_TO_OUTSIDE_HTTP
R2(config-pmap)#class type inspect CMAP_INSIDE_TO_OUTSIDE_HTTP
R2(config-pmap-c)#inspect
R2(config-pmap-c)#service-policy http PMAP_BLOCK_EXE
R2(config-pmap-c)#do show run | section policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class type inspect CMAP_INSIDE_TO_OUTSIDE
  inspect
 class type inspect CMAP_INSIDE_TO_OUTSIDE_HTTP
  inspect
  service-policy http PMAP_BLOCK_EXE
 class class-default
  drop

Note that the class CMAP_INSIDE_TO_OUTSIDE_HTTP is now ordered after the class CMAP_INSIDE_TO_OUTSIDE. Now I'll attempt to copy a .exe file to R1 from R5.

R1#copy http://jason:cisco@10.1.25.5/test.exe null:
Loading http://***********@10.1.25.5/test.exe !
2278 bytes copied in 0.240 secs (9492 bytes/sec)

It is allowed as expected.
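As an added illustration (not code from the original post), here is a small Python model of how the router walks PMAP_INSIDE_TO_OUTSIDE: the first matching class wins, class-default drops, and the nested HTTP policy applies the page's `.*\.([Ee][Xx][Ee])` pattern. The Flow, InspectClass, build_policy and evaluate names are my own; the model also shows that the pattern, having no end anchor, matches a URI such as /test.exe.txt.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Regex copied from the page's PARAM_DROP_EXE parameter-map. It has no end
# anchor, so it also matches a URI such as /test.exe.txt (see test below).
EXE_PATTERN = re.compile(r".*\.([Ee][Xx][Ee])")


@dataclass
class Flow:
    proto: str        # transport as the router sees it: "tcp", "udp", "icmp", ...
    app: str          # application ZFW classifies the flow as: "http", "telnet", ...
    uri: str = ""     # request URI, only meaningful for HTTP flows


@dataclass
class InspectClass:
    """One 'class type inspect' entry of a match-any ZFW policy-map."""
    name: str
    protocols: Set[str]                        # values of 'match protocol ...'
    http_reset: Optional[re.Pattern] = None    # nested 'service-policy http' with action reset

    def matches(self, flow: Flow) -> bool:
        # 'match protocol tcp' matches every TCP flow, HTTP included.
        return flow.app in self.protocols or flow.proto in self.protocols


def build_policy(http_class_first: bool) -> List[InspectClass]:
    """PMAP_INSIDE_TO_OUTSIDE in either of the two orders discussed on the page."""
    http_class = InspectClass("CMAP_INSIDE_TO_OUTSIDE_HTTP", {"http"}, http_reset=EXE_PATTERN)
    general = InspectClass("CMAP_INSIDE_TO_OUTSIDE", {"tcp", "udp", "telnet", "http", "icmp"})
    return [http_class, general] if http_class_first else [general, http_class]


def evaluate(policy: List[InspectClass], flow: Flow) -> str:
    """Walk the classes in order; the first match decides, class-default drops."""
    for cls in policy:
        if not cls.matches(flow):
            continue
        if cls.http_reset is not None and flow.app == "http" and cls.http_reset.search(flow.uri):
            return f"reset by {cls.name}"
        return f"inspect by {cls.name}"
    return "drop by class-default"


if __name__ == "__main__":
    # Constructed sample flows, modelled on the copy tests on the page.
    exe = Flow("tcp", "http", "/test.exe")
    txt = Flow("tcp", "http", "/test.txt")
    telnet = Flow("tcp", "telnet")
    for http_first in (True, False):
        label = "HTTP class first" if http_first else "general class first"
        policy = build_policy(http_first)
        print(f"{label}: test.exe -> {evaluate(policy, exe)}")
        print(f"{label}: test.txt -> {evaluate(policy, txt)}")
        print(f"{label}: telnet   -> {evaluate(policy, telnet)}")
```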

I currently have a telnet session open, initiated from R1 to R5. I want to view statistics related to it on the firewall. I'll use show policy-map type inspect zone-pair ZP_INSIDE_TO_OUTSIDE sessions:

R2#show policy-map type inspect zone-pair ZP_INSIDE_TO_OUTSIDE sessions

Wednesday, September 21, 2011

I have R1, R2, R3, and R4. I want to use Transparent Cisco IOS Firewall to help create a security policy that I can apply to R2.

R2's Fa0/1 is connected to R1 and is considered the INSIDE network. R2's Fa0/0 is connected to R3 and is considered the OUTSIDE network. R2's Se0/1/0 will connect to R4's S0/1. R1 and R3's FastEthernet interfaces are part of the 10.1.13.0/24 network, which requires R2 to bridge between the two interfaces.

I want to allow R1 to access R3's http service, but not be allowed to telnet to R3. I want R3 to be allowed to telnet to R1, but not be allowed to access R1's http service. I want both R1 and R3 to be able to access R4.

Since R1 and R3 are both on the same subnet, my first step is to configure bridging on R2. I will apply the bridge group to the two FastEthernet interfaces, enable a BVI interface, and assign it an IP address on the 10.1.13.0/24 network.

R2(config)#bridge 1 protocol ieee
R2(config)#interface fa0/0
R2(config-if)#bridge-group 1
R2(config-if)#interface fa0/1
R2(config-if)#bridge-group 1
R2(config-if)#bridge irb
R2(config)#bridge 1 route ip
R2(config)#interface bvi1
R2(config-if)#ip address 10.1.13.2 255.255.255.0
R2(config-if)#no shut

The fa0/0 and fa0/1 interfaces are already enabled on R2 with no ip addresses assigned, and no rules have been configured to filter any traffic. At this point, I should be able to ping between R1 and R3.

R1#ping 10.1.13.3

Next I'll write the ip inspect rules for the OUTSIDE and INSIDE interfaces.

R2(config)#ip inspect name INSIDE http
R2(config)#ip inspect name INSIDE icmp
R2(config)#ip inspect name OUTSIDE telnet
R2(config)#ip inspect name OUTSIDE icmp

I will also need to write ACLs for the INSIDE and OUTSIDE interfaces to allow the INSIDE access to R3 on TCP 80 as well as sending echo and echo replies. I also want to allow the OUTSIDE to telnet to R1 as well as sending echo and echo replies.

R2(config)#ip access-list extended INSIDE_LIST
R2(config-ext-nacl)# permit tcp any host 10.1.13.3 eq www
R2(config-ext-nacl)# permit icmp any host 10.1.13.3 echo
R2(config-ext-nacl)# permit icmp any host 10.1.13.3 echo-reply
R2(config-ext-nacl)# deny ip any host 10.1.13.3
R2(config-ext-nacl)# permit ip any any
R2(config-ext-nacl)#ip access-list extended OUTSIDE_LIST
R2(config-ext-nacl)# permit tcp any host 10.1.13.1 eq telnet
R2(config-ext-nacl)# permit icmp any host 10.1.13.1 echo
R2(config-ext-nacl)# permit icmp any host 10.1.13.1 echo-reply
R2(config-ext-nacl)# deny ip any host 10.1.13.1
R2(config-ext-nacl)# permit ip any any

Wednesday, September 14, 2011

I have R1, R2, and R3, and I want to use CBAC to effectively help create a security policy that I can apply to R2.

I consider R2's fa0/1 the inside network and R2's s0/1/0 the outside network.

I want to use Context Based Access Control when allowing the inside segment access to services on the outside segment, and to inspect TCP, UDP, HTTP, Telnet, ICMP and TFTP traffic. I want to collect audit statistics on TFTP traffic and have a UDP session inactivity timeout of 20 seconds. For the HTTP inspected traffic I do not want to allow Java applets to be downloaded from R3 with the host address of 10.0.3.3. For Telnet traffic, I want to ensure traffic is inspected while using TCP port 33 to connect from R1 to R3 by adding to R2's port-maps. I want to allow the inside segment to receive responses when using traceroute. I will assume a maximum of 2000 sessions open concurrently, and will adjust the CBAC hash table from its default 1024, to 2048. I want to allow the outside segment access to TCP 80 on R1, allow my routing protocol, disallow ping responses, and I want to configure TCP intercept with CBAC.

Before I begin the CBAC configuration steps, I want to visit the TCP Intercept feature and verify its operation, as CBAC incorporates this feature into its operation.

The TCP intercept feature works as it's described; it intercepts TCP connections. In my scenario, R1 is hosting HTTP services, and R2 will be configured to intercept TCP SYN packets when R3 attempts to make a connection to R1. TCP intercept can be configured to be the middle man in the 3 way handshake, or observe the handshake process. In either case, I can configure R2 to drop half open connections by dropping the connection itself, or by sending reset (RST) messages on the protected server's behalf.

I'll configure R2 to protect the web server on R1 and operate in intercept mode with a connection-timeout of 5 seconds. Additionally, I will set the router to begin dropping half-open connections, oldest first, when the number of half-open connections reaches 10, and to continue dropping until the count falls to 5. Furthermore, I want to protect against SYN flood attacks by dropping SYN packets when the rate of new connections reaches 20 per minute, and to resume normal operation once that rate has fallen to 10 per minute.

R2(config)#access-list 101 permit ip any host 10.1.12.1
R2(config)#ip tcp intercept list 101
R2(config)#ip tcp intercept mode intercept
R2(config)#ip tcp intercept connection-timeout 5
R2(config)#ip tcp intercept max-incomplete low 5 high 10
R2(config)#ip tcp intercept drop-mode oldest
R2(config)#ip tcp intercept one-minute low 10 high 20

Note that an ACL is required to identify the traffic when using TCP intercept.

R2 attempts to retransmit R1's SYN-ACK until the exponential backoff timer expires, at which point the connection is reset.
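Added example, not from the original post: a simplified Python model of the half-open connection watermarks used both by the TCP intercept commands above and by the ZFW parameter-map described earlier (max-incomplete low/high, one-minute low/high), with a 5 second half-open age-out. The class HalfOpenGuard and its method names are my own, and the aggressive-mode rule (evict the oldest half-open entry on each new SYN, leave aggressive mode only once both counters are below their low marks) follows Cisco's documented description rather than the actual IOS implementation.

```python
from collections import deque


class HalfOpenGuard:
    """Simplified model of the max-incomplete / one-minute watermarks. Not IOS code."""

    def __init__(self, max_low=5, max_high=10, minute_low=10, minute_high=20, synwait=5.0):
        self.max_low, self.max_high = max_low, max_high              # half-open count marks
        self.minute_low, self.minute_high = minute_low, minute_high  # new connections per minute
        self.synwait = synwait          # seconds a SYN may stay half-open before it is reset
        self.half_open = deque()        # (arrival_time, conn_id), oldest on the left
        self.syn_times = deque()        # arrival times inside the trailing one-minute window
        self.aggressive = False
        self.dropped = []               # conn_ids evicted oldest-first while aggressive
        self.timed_out = []             # conn_ids reset because synwait expired

    def _expire(self, now):
        while self.half_open and now - self.half_open[0][0] > self.synwait:
            self.timed_out.append(self.half_open.popleft()[1])
        while self.syn_times and now - self.syn_times[0] > 60.0:
            self.syn_times.popleft()

    def syn(self, now, conn_id):
        """A client SYN toward the protected server arrives at time `now`.
        Returns True if the guard is in aggressive mode after handling it."""
        self._expire(now)
        self.syn_times.append(now)
        rate = len(self.syn_times)
        # Enter aggressive mode once either high watermark is exceeded.
        if len(self.half_open) > self.max_high or rate >= self.minute_high:
            self.aggressive = True
        if self.aggressive and self.half_open:
            # In aggressive mode every new SYN evicts the oldest half-open entry.
            self.dropped.append(self.half_open.popleft()[1])
        self.half_open.append((now, conn_id))
        # Drop back to normal mode only when BOTH values are below the low marks.
        if len(self.half_open) < self.max_low and rate < self.minute_low:
            self.aggressive = False
        return self.aggressive

    def ack(self, now, conn_id):
        """Handshake completed; the entry leaves the half-open table."""
        self._expire(now)
        self.half_open = deque(e for e in self.half_open if e[1] != conn_id)


def syn_flood_demo():
    """Constructed burst: 14 SYNs within 3.25 s, none completing the handshake."""
    guard = HalfOpenGuard()
    for i in range(14):
        guard.syn(0.25 * i, f"conn{i}")
    return guard


if __name__ == "__main__":
    g = syn_flood_demo()
    print("aggressive:", g.aggressive, "half-open:", len(g.half_open), "dropped:", g.dropped)
```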

With that, I'll remove the previous ip tcp intercept commands, and move on to configure R2 as a stateful firewall with CBAC.

CBAC only inspects TCP and UDP traffic. If other services need to be filtered, I must use access lists instead.

The difference between reflexive ACLs and CBAC is that reflexive ACLs rely on the return traffic being a mirror of the sent traffic, whereas CBAC uses an application inspection engine per application to inspect traffic and is aware of the application's conversation.

I'll create an inspection rule called CBAC for TCP, UDP, HTTP, Telnet, and ICMP traffic. As mentioned before, since UDP is connectionless there will be no FIN packet to finish sessions, so I'll configure a UDP session inactivity timeout of 20 seconds. Also, I will create an ACL to tie to the HTTP inspection so that Java applets are allowed from only the host address 10.0.3.3.

R2(config)#access-list 10 permit host 10.0.3.3
R2(config)#ip inspect name CBAC tcp
R2(config)#ip inspect name CBAC udp audit-trail on timeout 20
R2(config)#ip inspect name CBAC http java-list 10
R2(config)#ip inspect name CBAC telnet
R2(config)#ip inspect name CBAC icmp

As mentioned, some telnet traffic could use destination TCP port 33, so I will map TCP 33 to telnet so that it is inspected as well.

R2(config)#ip port-map telnet port 33
R2(config)#do show ip port-map | include user
Default mapping:  telnet    tcp port 33    user defined

According to Cisco recommendations, I should try to maintain a 1:1 ratio between the number of sessions and the size of the hash table. By default there are 1024 buckets. Since I will have a maximum of 2000 concurrent sessions, I will double the default bucket size.

R2(config)#ip inspect hashtable-size 2048

To verify that the inspection rule has been applied to the correct interface and direction, I will use show ip inspect interfaces.

R2#show ip inspect interfaces
Interface Configuration
 Interface Serial0/1/0
  Inbound inspection rule is not set
  Outgoing inspection rule is CBAC
    tcp alert is off audit-trail is off timeout 3600
    udp alert is off audit-trail is on timeout 20
    http java-list 10 alert is off audit-trail is off timeout 3600
    telnet alert is off audit-trail is off timeout 3600
    icmp alert is off audit-trail is off timeout 10
  Inbound access list is OUTSIDE_IN
  Outgoing access list is not set

Tuesday, September 13, 2011

I have R1, R2, and R3, and I want to use NBAR to effectively help create a security policy that I can apply to R2.

I consider R2's fa0/1 the inside network and R2's s0/1/0 the outside network. I want to prevent inside users from accessing the bittorrent and edonkey protocols, and from downloading .exe files from HTTP sites.

To accomplish this, I'll create a class-map on R2 for matching any of the relevant traffic, create a policy-map which will call the class-map and drop the traffic, and then apply that policy-map to the outside interface of R2.

R2(config)#class-map match-any CLASS_PROTECT
R2(config-cmap)#match protocol bittorrent
R2(config-cmap)#match protocol edonkey
R2(config-cmap)#match protocol http url *.exe

I'll then create a policy-map for dropping the traffic matched in the class-map.

R2(config-cmap)#policy-map POLICY_DROP_CLASS_PROTECT
R2(config-pmap)#class CLASS_PROTECT
R2(config-pmap-c)#drop

I will now apply the policy-map to the outside interface.

R2(config-pmap)#int s0/1/0
R2(config-if)#service-policy input POLICY_DROP_CLASS_PROTECT

I won't simulate bittorrent or edonkey, but I will verify that the policy is filtering out .exe files.

I'll connect to R3, create a file with an extension of .exe, and set the ip http path.

R3#copy run slot0:/test.exe
Destination filename [test.exe]?

I'll first test that I can copy the IOS image from R3 to R1.

R1#copy http://jason:cisco@10.1.23.3/c3725-adventerprisek9-mz.124-25c.bin null:
Loading http://***********@10.1.23.3/c3725-adventerprisek9-mz.124-25c.bin !!!!!!!!!!!!!!!!!!!!